Re: git: 54c62e3e5d8c - main - pf: work around icmp6 packet-too-big not being sent when binat-ing
- Reply: Herbert J. Skuhra: "Re: git: 54c62e3e5d8c - main - pf: work around icmp6 packet-too-big not being sent when binat-ing"
- In reply to: Herbert J. Skuhra: "Re: git: 54c62e3e5d8c - main - pf: work around icmp6 packet-too-big not being sent when binat-ing"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 24 Jan 2024 13:27:19 UTC
On 24 Jan 2024, at 11:06, Herbert J. Skuhra wrote: > On Tue, 23 Jan 2024 19:42:10 +0100, Kristof Provost wrote: >> On 23 Jan 2024, at 19:32, Herbert J. Skuhra wrote: >>> On Mon, 22 Jan 2024 13:52:51 +0100, Kristof Provost wrote: >>>> >>>> The branch main has been updated by kp: >>>> >>>> URL: >>>> https://cgit.FreeBSD.org/src/commit/?id=54c62e3e5d8cd90c5571a1d4c8c5f062d580480e >>>> >>>> commit 54c62e3e5d8cd90c5571a1d4c8c5f062d580480e >>>> Author: Kristof Provost <kp@FreeBSD.org> >>>> AuthorDate: 2024-01-17 17:11:27 +0000 >>>> Commit: Kristof Provost <kp@FreeBSD.org> >>>> CommitDate: 2024-01-22 11:52:14 +0000 >>>> >>>> pf: work around icmp6 packet-too-big not being sent when >>>> binat-ing >>>> >>>> If we're applying NPTv6 we pass a packet with a modified source >>>> and/or >>>> destination address to the network stack. >>>> >>>> If that packet then turns out to be larger than the MTU of the >>>> sending >>>> interface the stack will attempt to generate an icmp6 >>>> packet-too-big >>>> error, but may fail to look up the appropriate source address >>>> for that >>>> error message. Even if it does, pf would still have to undo the >>>> binat >>>> operation inside the icmp6 packet so the sending host can make >>>> sense of >>>> the error. >>>> >>>> We can avoid both problems entirely by having pf also perform >>>> the MTU >>>> check (taking the potential refragmentation into account), and >>>> generating the icmp6 error directly in pf. >>>> >>>> See also: https://redmine.pfsense.org/issues/14290 >>>> Sponsored by: Rubicon Communications, LLC ("Netgate") >>>> Differential Revision: https://reviews.freebsd.org/D43499 >>>> --- >>>> sys/net/pfvar.h | 1 + >>>> sys/netpfil/pf/pf.c | 12 ++++++++++++ >>>> sys/netpfil/pf/pf_norm.c | 15 +++++++++++++++ >>>> 3 files changed, 28 insertions(+) >>> >>> Does this change cause problems for others too? >>> >>> - ssh over IPv6 permanently disconnecting >>> (client_loop: send disconnect: Broken pipe) >>> - ssh connections over IPv6 hanging >>> - git pull not working >>> Fssh_ssh_dispatch_run_fatal: Connection to >>> 2604:1380:4091:a001::24ca:1 port 22: Permission denied >>> fatal: Could not read from remote repository. >>> >> Can you include your pf.conf and a packet capture demonstrating one >> of these issues? > > So I assume this issue affects only me or this server (igb nic). > Disabling tso6 seems to resolve the issue. > Ah. A Clue(tm)! Try this: diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 38a5a45d7991..2dc6d02d330a 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8515,7 +8515,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * confused and fail to send the icmp6 packet too big error. Just send * it here, before we do any NAT. */ - if (dir == PF_OUT && IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { + if (dir == PF_OUT && pflags & PFIL_FWD && IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { PF_RULES_RUNLOCK(); *m0 = NULL; icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); Best regards, Kristof